sound auction specification and implementation · sound auction speciﬁcation and implementation...

Sound auction specification and implementation

Marco Caminati1 Manfred Kerber1

Christoph Lange2 Colin Rowat3

1Computer Science, University of Birmingham2Fraunhofer IAS and University of Bonn3Economics, University of Birmingham

18 June, 2015EC’15

https://github.com/formare/auctions

1 / 24


Introduction

Outline

1 Introduction

2 Successes of mechanised reasoning

3 Combinatorial Vickrey’s auctions

4 Sound specification

5 Code extraction

6 Conclusions

2 / 24

Introduction

Two problems & a unified solution

How can we be sure that:1 an auction design is soundly specified, possessing the properties

that its designers wish it to have?2 an actual auction faithfully implements the intended design?

failure on either front can be very costlytypical solution: playtest the design

Dijkstra: “testing shows the presence, not the absence of bugs”our unified solution

1 use mechanised reasoning to prove properties on the design2 extract verified executable code to run it

mechanised reasoners perform logical operations1 check existing proofs / codify knowledge2 search for new proofs

we work with Isabelle, a higher-order logic theorem prover

3 / 24

Successes of mechanised reasoning

Outline

1 Introduction




5 Code extraction

6 Conclusions

4 / 24


Pure maths

Example (Four colour-map theorem [AH77; AHK77; Gon08])exhaustive computations required to originally prove the theoremin doing so, corrected some human experts’ calculationsmechanized proof checkers have confirmed these results formally

Example (Kepler’s conjecture (1611) [Hal05; Hal12])Hales’ original proof: 120 pages and > 500MB of computer code12 referees took five years to become “99% certain” he was rightHales founds Project Flyspeck to establish a formal proof2014: Flyspeck complete

Example (Robbins’ conjecture [HMT71; McC97])beguilingly simple, but open for 60 years, a favourite of TarskiMcCune’s solver generated a 17-step proof, later reduced to eight

5 / 24


Software verification [Woo+09]

a computer programme defines a logical universe within whichcertain statements may or may not be trueproof assistants can seek to prove or disprove these statementsas theorems

Example (commuter rail systems)No two trains shall occupy the same location at the same time.

Example (financial transactions software)Transactions do not create or destroy value, but merely transfer it.

6 / 24


Hardware verification

Example (1994: Pentium floating point division bug)worst known relative error 0.006%Intel calculated typical user would be affected once in 9 billiondivision operationscost Intel $475mnmodel chips as logical systems (AND, OR, etc. gates)prove theorem for each property to be implemented [Har06]

7 / 24


Economic theory

Example (Subsuming Arrow’s impossibility theorem [TL09])manual induction proof: Arrow’s theorem holds if it holds on abase case of 2 agents and 3 alternativescomputer exhaustively verifies the theorem on all base casesmanual inspection of the computationally generated base casesidentified a new theorem subsuming Arrow’sChatterjee and Sen [CS14]: “As far as we know . . . the onlyArrow-type result . . . that does not use an axiom other than IIA”

Example (Ranking sets of objects [GE11])which axioms are mutually incompatible [BBP04]?computational sweep of small domains for each set of axiomsgenerated 84 impossibility theorems & resolved an open questioncan also make statistical observations

8 / 24

Combinatorial Vickrey’s auctions

Outline

1 Introduction




5 Code extraction

6 Conclusions

9 / 24

Combinatorial Vickrey’s auctions

A combinatorial Vickrey’s auction [q.v. AM06]

agents: 0, . . . ,N, with 0 the seller, the rest biddersseller’s endowment: Ω , ∅, indivisible goodsallocation: pairwise disjoint subsets of Ω, X0, . . . ,XNbids: bn (X) ,∀X ⊆ Ωsolve for allocations, prices in the winner determination problem:

X ∗ ∈ arg maxX1,...,XN

N∑n=1

bn (Xn) s.t.N⋃

n=1

Xn ⊆ Ω & Xn ∩ Xn′ = ∅ for n , n′

pn ≡ αn −∑m,n

bm (X ∗m) (1)

where

αn ≡ maxXm

m=1,...,N

∑m,n

bm (Xm)∣∣∣ ⋃

m,n

Xm ⊆ Ω & Xm ∩ Xm′ = ∅ for m , m′

is the value when solved without n’s bids.rerun the WDP over random bids to break ties 10 / 24

Sound specification

Outline

1 Introduction




5 Code extraction

6 Conclusions

11 / 24

Sound specification

Formally defining a VCG auction

1 the set of possible allocations2 f (), which solves the WDP3 vcga applies f () twice, the 2nd time with random bids to break ties4 vcgp solves for prices (1)

abbreviation “vcgas N Ω b r == Outsideseller‘((argmax setsum) (randomBids N Ω b r)((argmax setsum) b (allAllocations (seller ∪ N) (set Ω))))”

abbreviation expands “vcgas” (like a preprocessor macro)vcgas takes N,Ω,b and r as arguments

3 applies f () to bids b, returning the value-maximizing allocations2 applies f () to the value-maximising allocations, using randomBids1 “Outsideseller” excludes seller from the domain

12 / 24

Sound specification

VCG auctions are functions

Theorem

Consider a combinatorial VCG auction. Given any set of goods andfeasible bid vectors, and a random number, r, there is exactly onesolution to the WDP at prices pn as defined in equation (1).

as Isabelle accepts vcgas, it is a (total) function, mapping fromevery element of its domain to a unique resultit remains to prove that vcgas returns a singleton

theorem vcgaDefiniteness :assumes “distinct Ω” and “set Ω , ” and “finite N”shows “card (vcgas N Ω b r) = 1”

“distinct” states that Ω contains each good exactly once“card” returns the cardinality of finite sets (n.b. 0 for ∅,∞ sets)

13 / 24

Sound specification

Proving that vcgas returns a singleton

1 proof−2 have “card ((argmax setsum) (randomBids N Ω b r)3 ((argmax setsum) b (allAllocations (N ∪ seller) (set Ω)))) = 1”4 (is “card ?X = 1”) using assms lm08 by blast5 moreover have “(Outside′seller) ‘ ?X = vcgas N Ω b r” by blast6 ultimately show ?thesis using cardOneImageCardOne by blast7 qed

proof begins the proof; the − switch selects manual inferencehave . . . using . . . by structures the proof:

have asserts the expressions to be provedusing introduces the facts to be used in discharging the proofobligationby invokes a specified proof method

14 / 24

Sound specification

Proving that vcgas returns a singleton

lines 2, 3: claims the cardinality of the set of solutions to thesecond WDP (prior to removing the seller’s allocation) is 1line 4: establishes it by applying a proof method called blast to thetheorem’s assumptions, assms, and a pre-existing lemma

blast manipulates ‘simple’ objects in higher-order logicLemma cardOneImageCardOne can quantify over all functions andsets, but need only do so over function Outside′seller and set ofallocations ?X

line 5: Outside′seller‘A is a singleton whenever A isline 6: ultimately refers to previously established results prefixedby moreovershow notes that we next seek to establish ?thesis, the proofobligation at the current level of reasoning

15 / 24

Sound specification

Other theorems formally proved

Theorem

Consider a combinatorial VCG auction. Then the sets X ∗1, . . . ,X∗

N arepairwise disjoint.

Theorem

Consider a combinatorial VCG auction. Then g ∈ X ∗m implies g ∈ Ω.

TheoremFor a VCG auction, the prices defined in (1) are non-negative ∀n ∈ N.

16 / 24

Code extraction

Outline

1 Introduction




5 Code extraction

6 Conclusions

17 / 24

Code extraction

Classical and constructive definitions1 classical definitions

often intuitive, expressed in terms of characterising propertiesno information on how to compute

Example (Classical set maximum)

MaxX ≡x ∈ X

∣∣∣@y ∈ X s.t. y > x

2 constructive definitionsless useful in proving theorems as no mention of characterisingpropertiescomputable

Example (Computable set maximum)

define the helper function max in the usual way on pairs of objects

define the base case for the inductively defined Max a = a

define the recursive step Max (a ∪ A) = max (a,Max a)

18 / 24

Code extraction

Bridging theorems

our classical definition of injections is non-computable

“injections X Y =

R . DomainR = X ∧ Range R ⊆ Y ∧ runiq R ∧ runiq(R−1)”.

for finite sets, we define a computable version

fun injections_algwhere “injections_alg [] Y = []” |

“injections_alg (x#xs) Y = concat [[R + ∗(x , y).y ← sorted_list_of_set(Y − Range R)].R ← injections_alg xs Y ]”

a bridging theorem shows their equivalence

theorem injections_equiv : assumes “finite Y ” and “distinct X ”shows “set (injections_alg X Y) = injections (set X) Y ”

19 / 24

Conclusions

Outline

1 Introduction




5 Code extraction

6 Conclusions

20 / 24

Conclusions

we apply mechanised reasoning to a well-known auction design1 formally prove basic ‘soundness’ properties of that design

2 extract verified code from the sound design to execute it

3 easily alter definitions (e.g. replace vcgp with a 1st price function)all proofs above go through immediately, except non-negative prices(which becomes easier)

in doing so, we are building an auction theory toolbox:https://github.com/formare/auctions

next steps?1 apply the above techniques to novel auctions

more valuable in more complex auctions2 automated search for new results in auction theory

21 / 24


Appendix References

References I

[AH77] Kenneth Appel and Wolfgang Haken. “Every Planar Map is FourColorable Part I: Discharging”. In: Illinois Journal of Mathematics 21.3(1977), pp. 429–490.

[AHK77] Kenneth Appel, Wolfgang Haken, and John Koch. “Every Planar Map isFour Colorable Part II: Reducibility”. In: Illinois Journal of Mathematics21.3 (1977), pp. 491–567.

[AM06] Lawrence M. Ausubel and Paul Milgrom. “The Lovely but Lonely VickreyAuction”. In: Combinatorial auctions. Ed. by Peter Cramton,Yoav Shoham, and Richard Steinberg. MIT Press, 2006. Chap. 1,pp. 17–40.

[BBP04] Salvador Barberà, Walter Bossert, and Prasanta K. Pattanaik. “Rankingsets of objects”. In: Handbook of Utility Theory. Ed. by Salvador Barberà,Peter J. Hammond, and C. Seidl. Vol. II. Dordrecht: Kluwer AcademicPublishers, 2004, pp. 893–977.

22 / 24

Appendix References

References II

[CS14] Siddharth Chatterjee and Arunava Sen. “Automated Reasoning In SocialChoice Theory – Some Remarks”. In: Mathematics in Computer Science8.1 (2014), pp. 5–10.

[GE11] Christian Geist and Ulle Endriss. “Automated search for impossibilitytheorems in social choice theory: ranking sets of objects”. In: Journal ofArtificial Intelligence Research 40 (2011), pp. 143–174.

[Gon08] Georges Gonthier. “Formal proof – the four color theorem”. In: Notices ofthe AMS 55.11 (2008), pp. 1382–1393.

[Hal05] Thomas C. Hales. “A proof of the Kepler conjecture”. In: Annals ofMathematics 162.3 (2005), pp. 1065–1185.

[Hal12] Thomas Hales. Dense Sphere Packings. A Blueprint for Formal Proofs.London Mathematical Society Lecture Note Series 400. CambridgeUniversity Press, Sept. 6, 2012.

[Har06] John Harrison. Floating-Point Verification using Theorem Proving. Ed. byMarco Bernardo and Alessandro Cimatti. Bertinoro, Italy, 2006.

23 / 24

Appendix References

References III

[HMT71] Léon Henkin, James Donald Monk, and Alfred Tarski. Cylindric algebras,Part I. Vol. 64. Studies in Logic. North Holland, 1971.

[McC97] William McCune. “Solution of the Robbins problem”. In: Journal ofAutomated Reasoning 19.3 (1997), pp. 263–276.

[TL09] Pingzhong Tang and Fangzhen Lin. “Computer-aided proofs of Arrow’sand other impossibility theorems”. In: Artificial Intelligence 173.11 (2009),pp. 1041–1053.

[Woo+09] Jim Woodcock et al. “Formal method: practice and experience”. In: ACMComputing Surveys 41.4 (2009), pp. 1–40.

24 / 24

sound auction specification and implementation · sound auction speciﬁcation and implementation...

Documents